
Clone Farm Detector

Author: andyxinweiminicloud · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 536
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install clone-farm-detector
Description
Helps detect clone farming and reputation gaming in AI agent marketplaces. Identifies near-duplicate skills that wash IDs, batch-publish patterns, and artifi...
Usage instructions (SKILL.md)

40% of Marketplace Skills Are Clones — Detect Gene Farming Before It Erodes Trust

Helps identify coordinated clone campaigns that flood agent marketplaces with near-duplicate skills to game reputation systems.

Problem

Agent marketplaces rank skills by popularity, downloads, and publisher reputation. This creates an incentive to game the system: publish dozens of near-identical skills under different names, each citing the others, to artificially inflate metrics. The result? Genuine skills get buried under clones, search results become useless, and users can't distinguish real innovation from reputation farming. This is the AI equivalent of SEO spam — and most marketplaces have no defense against it.

What This Checks

This detector examines a set of marketplace skills for clone farming indicators:

  1. Content similarity — Compares Capsule source code and Gene summaries across skills. Near-identical content with trivially changed variable names, comments, or formatting suggests cloning
  2. Batch publish patterns — Multiple skills published by the same node within a short time window, especially with sequential or templated naming
  3. ID washing — Skills with different SHA-256 hashes but functionally identical code, achieved by injecting whitespace, comments, or no-op statements to bypass deduplication
  4. Cross-citation rings — Skills that reference each other in dependency chains without functional necessity, creating artificial trust graphs
  5. Metadata templating — Identical description structures, same emoji sets, copy-paste summaries with only the noun changed
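
One way to implement the ID-washing check (item 3), as an added example that is not part of the skill, which ships no code: hash a canonical Python AST so that comments, whitespace, docstrings, `pass` statements and renamed identifiers no longer change the fingerprint. The helper names and the sample sources are constructed for illustration; two of the skill names are borrowed from the example report on this page.

```python
import ast
import builtins
import hashlib
from collections import defaultdict

class _Canon(ast.NodeTransformer):
    """Rename identifiers in first-seen order and drop no-op statements."""
    def __init__(self):
        self.names = {}
    def _alias(self, name):
        if hasattr(builtins, name):  # keep len/print/... so real logic changes still differ
            return name
        return self.names.setdefault(name, f"v{len(self.names)}")
    def visit_Name(self, node):
        node.id = self._alias(node.id)
        return node
    def visit_arg(self, node):
        node.arg = self._alias(node.arg)
        return node
    def visit_FunctionDef(self, node):
        node.name = self._alias(node.name)
        return self.generic_visit(node)
    def visit_Expr(self, node):
        # Docstrings and stray literals execute nothing: drop them.
        return None if isinstance(node.value, ast.Constant) else self.generic_visit(node)
    def visit_Pass(self, node):
        return None

def functional_fingerprint(source):
    """SHA-256 over the canonical AST; comments and layout never reach the AST."""
    canonical = ast.dump(_Canon().visit(ast.parse(source)))
    return hashlib.sha256(canonical.encode()).hexdigest()

def find_washed_ids(skills):
    """Return (names, distinct_raw_hashes) for groups sharing one fingerprint."""
    groups = defaultdict(list)
    for name, src in skills.items():
        groups[functional_fingerprint(src)].append(name)
    out = []
    for names in groups.values():
        raw = {hashlib.sha256(skills[n].encode()).hexdigest() for n in names}
        if len(raw) > 1:  # several raw IDs, one functional implementation
            out.append((sorted(names), len(raw)))
    return out

# Constructed sample catalogue: the second entry is a washed copy of the first.
SAMPLE = {
    "python-formatter-pro": "def fmt(text):\n    out = text.strip()\n    return out.expandtabs(4)\n",
    "py-code-beautifier": "# v2\ndef beautify(src):\n    'Beautify.'\n    result = src.strip()  \n    pass\n    return result.expandtabs(4)\n",
    "genuine-formatter": "def fmt(text):\n    return text.rstrip().expandtabs(4)\n",
}
```

A shared fingerprint is an indicator for review, not proof of intent, as the Limitations section notes; legitimate forks will match too.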

How to Use

Input: Provide one of:

  • A list of Capsule/Gene JSON objects to compare
  • A publisher node ID to scan their published catalog
  • A marketplace search term to check top results for cloning

Output: A structured report containing:

  • Cluster groups of similar/identical skills
  • Similarity scores between flagged pairs
  • Publishing timeline analysis
  • Risk rating: CLEAN / SUSPECT / FARMING
  • Evidence summary for each cluster

Example

Input: Scan top 10 results for "code formatter" on marketplace

🧬 FARMING DETECTED — 2 clone clusters found

Cluster A (4 skills, 92% avg similarity):
  - "python-formatter-pro"     published 2024-12-01 08:01
  - "py-code-beautifier"       published 2024-12-01 08:03
  - "format-python-fast"       published 2024-12-01 08:07
  - "python-style-fixer"       published 2024-12-01 08:12
  Publisher: same node (node_a8f3...)
  Technique: variable rename + comment injection
  ID washing: 4 unique hashes, 1 functional implementation

Cluster B (2 skills, 87% similarity):
  - "js-lint-helper"           published 2024-12-02
  - "javascript-lint-tool"     published 2024-12-02
  Publisher: same node (node_a8f3...)
  Cross-cites Cluster A skills as "dependencies"

Total: 6/10 top results are clones from one publisher.
Recommendation: Flag publisher for review. Genuine skills in results: 4/10.

Limitations

Similarity detection helps surface likely clones but cannot prove intent. Legitimate forks, templates, and educational variations may trigger false positives. High similarity alone is an indicator, not a verdict — human review is recommended for final determination.

Safe usage recommendations
This skill describes a sensible analytic purpose, but the runtime instructions are high-level and do not include scripts, endpoints, or handling rules. Before installing or running it: 1) Confirm how the agent will obtain marketplace data (public pages vs private APIs) and whether any credentials are needed — don't supply secrets unless you understand where they will be used. 2) Ask the skill author for concrete commands or scripts (or an install package) if you want the skill to run local analysis with curl/python3; otherwise the agent may try ad-hoc network calls. 3) If you plan to scan private or sensitive skills, require assurances (and ideally code) showing how data is stored/transmitted and that no external exfiltration occurs. If the author cannot provide clearer runtime details, treat the skill cautiously or test it in a sandboxed environment.
Functional analysis
Type: OpenClaw Skill
Name: clone-farm-detector
Version: 1.0.0
The provided files consist of standard metadata (`_meta.json`) and a detailed skill description (`SKILL.md`). The skill's stated purpose is to detect 'clone farming' and 'reputation gaming' in AI agent marketplaces, which is a beneficial security function. The `SKILL.md` clearly outlines the skill's functionality, inputs, and outputs without containing any prompt injection attempts, hidden commands, or instructions for the AI agent to perform actions outside its stated, benign purpose. The required binaries (`curl`, `python3`) are common and align with the described data fetching and analysis tasks. No executable code is provided to analyze for vulnerabilities or malicious implementations, but the intent and documentation are benign.
Capability assessment
Purpose & Capability
Name and description (detect clone farming in a marketplace) align with requiring network fetch and analysis tools. However, the skill declares required binaries (curl, python3) despite being instruction-only and providing no scripts; that's plausible but not strictly justified by the materials provided. No environment variables or credentials are requested, which is consistent with a read-only public-scan use case, but the skill does not explain how it will access marketplace data (public endpoints vs. private APIs).
Instruction Scope
SKILL.md describes expected inputs (Capsule/Gene JSONs, publisher node id, or search term) and outputs, and lists what it checks, but it lacks concrete runtime instructions: it does not specify how to fetch marketplace data, what endpoints to call, or whether fetching requires credentials. The document also doesn't say whether any collected code or metadata will be transmitted externally. The lack of precise commands or safe-handling guidance grants wide discretion to the agent and could lead to unexpected data access or exfiltration if the agent implements its own fetching logic.
Install Mechanism
There is no install spec and no code files — lowest-risk install surface. No downloads or package installs are declared.
Credentials
The skill requests no environment variables or credentials, which is proportionate for a public-data analysis. That said, realistically scanning publisher catalogs or private marketplace APIs may require credentials or elevated access; the absence of any guidance about credential requirements or safe handling is a gap. If you plan to feed private marketplace data, be aware credentials might be needed and are not declared here.
Persistence & Privilege
The skill does not request persistent/always-on presence (always: false) and does not request other skills' configs or system-wide settings. Autonomous invocation is allowed (the platform default) but not excessive here.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install clone-farm-detector
  3. Once installation completes, call the Skill by name or trigger it with /clone-farm-detector
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
- Initial release of clone-farm-detector.
- Detects clone farming and reputation gaming in AI agent marketplaces.
- Flags near-duplicate skills, batch publishing patterns, ID washing, cross-citation rings, and metadata templating.
- Accepts skills, publisher IDs, or search terms as input.
- Outputs risk ratings, similarity clusters, timeline analysis, and evidence summaries.
Metadata
Slug: clone-farm-detector
Version: 1.0.0
License
Total installs: 0
Current installs: 0
Historical versions: 1
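FAQ

What is Clone Farm Detector?

Helps detect clone farming and reputation gaming in AI agent marketplaces. Identifies near-duplicate skills that wash IDs, batch-publish patterns, and artifi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 536 total downloads to date.

How do I install Clone Farm Detector?

Run the command "/install clone-farm-detector" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Clone Farm Detector free?

Yes, Clone Farm Detector is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Clone Farm Detector support?

Clone Farm Detector is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Clone Farm Detector?

It is developed and maintained by andyxinweiminicloud (@andyxinweiminicloud); the current version is v1.0.0.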
